Hi all, I work as a security engineer in an MNC. Yesterday I received a mail from our red team (authorized hackers) that they have compromised around 650 local and admin accounts. We were surprised to see that, as we have a SIEM tool to give an alert for any suspicious behaviour, yet we received nothing. We did receive an alert for Mimikatz on one of the pen testers' systems and he justified it as testing and authorized use. I think the compromise of accounts is related to Mimikatz, but we don't have any trace or idea how he did it and why our security tools didn't alert us. We are using LogRhythm as SIEM and FireEye alerted us for Mimikatz. Please help

18 Replies

In terms of improving your detection/alerting, it may depend on how these accounts are set up now and how much that can be changed. For example, if there's an account that's a local admin on a system, but it only ever needs to log on as a service, then you probably should have measures that firstly prevent it from logging on interactively and secondly detect it logging on in ways outside its intended use and outside the system it's intended to run on.

It's going to be unpatched systems, weak passwords, SQL injection, non-secure AD, there are many ways in, and very few AV products will pick up the likes of MimiKatz or other pen test tools. I would wait for the report, there is no point trying to guess or get ahead of something you don't know.

yesterday I received a mail from our red team (authorized hackers) that they have compromised around 650 local and admin accounts.

Having this many potential targets is already a bad sign. You want to minimize the chance of someone getting admin rights; with 650 out of however many (could be 1,000 accounts or 100,000 accounts, we don't know), this should be looked at. You should not have large numbers of admin accounts in the system, including locally, as these make it easier for an attacker to get in: they only need one to get the rest quickly.

Cached credentials are also another very easy way in, as are non-encrypted laptops and unpatched 3rd-party apps. The report will tell you how, and how to mitigate things, but know that you have a weakness in your network and it will need resolving, quickly.

Systems are patched and most of them are running Windows 7. I read somewhere that Mimikatz can be used remotely to dump the credentials from the DC and I think this has happened. Is there any way to stop that?

Note that running code directly on a target system is rarely desirable for an attacker, so Mimikatz is continuously updated with new capability to be run remotely. This includes running Mimikatz remotely against a remote system to dump credentials, using Invoke-Mimikatz remotely with PowerShell Remoting, and DCSync, the latest feature to grab password data for any Active Directory account in the domain remotely against a DC without any Mimikatz code being run on the DC (it uses Microsoft's official Domain Controller replication APIs, once the correct rights are attained).

Be aware, though, that you are paying them to find these vulnerabilities, so work with them on how to stop them. You might be concerned they got your passwords, but they are doing it in a safe, controlled and requested manner; you want them to find ways in so you can know where to tighten.

You'd rather they got in than the bad guys, as they will not tell you how, and by the time you know, they will be long gone with what they wanted.
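Since DCSync only uses the directory replication APIs, the place it leaves a trace is the domain controller's Security log: event 4662 (an operation was performed on an object) where the ObjectServer is "DS" and the Properties field lists the replication extended rights. Below is an added example of that detection logic, written for this thread and not from any poster, SIEM vendor or the Mimikatz project. It runs over a few hand-constructed 4662 records and flags replication requests from any account that is neither a domain controller's machine account nor a known replication service; the DC names and the service account are placeholders, the three extended-right GUIDs are the well-known values from the AD schema.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

Added example for this thread. The event records below are constructed by hand
to look like the fields a SIEM would parse out of a 4662 event; they are not
real logs. Host and account names are placeholders.
"""
from typing import Dict, Iterable, List

# Extended rights that a DCSync request must have on the domain object.
# These GUIDs are the well-known control-access-right identifiers from the AD schema.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed environment facts (placeholders): the machine accounts of the domain
# controllers, which replicate with each other all day, and any non-DC account
# that is legitimately permitted to replicate (for example a directory sync service).
DC_ACCOUNTS = {"DC01$", "DC02$"}
ALLOWED_REPLICATORS = {"svc_dirsync"}


def requested_replication_rights(event: Dict[str, object]) -> List[str]:
    """Return the names of replication rights present in a 4662 event's Properties."""
    if event.get("EventID") != 4662 or event.get("ObjectServer") != "DS":
        return []
    props = str(event.get("Properties", "")).lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def find_dcsync_alerts(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one alert per replication request made by an unexpected account."""
    alerts = []
    for event in events:
        rights = requested_replication_rights(event)
        if not rights:
            continue
        account = str(event.get("SubjectUserName", ""))
        # DC-to-DC replication and approved sync services are expected.
        if account in DC_ACCOUNTS or account in ALLOWED_REPLICATORS:
            continue
        alerts.append({
            "account": account,
            "dc": event.get("Computer"),
            "client": event.get("ClientAddress", "unknown"),
            "rights": rights,
        })
    return alerts


# Constructed sample events (placeholders, not real data).
SAMPLE_EVENTS = [
    # Normal replication between two domain controllers: expected, no alert.
    {"EventID": 4662, "Computer": "DC01", "ObjectServer": "DS", "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Approved directory sync service account: expected, no alert.
    {"EventID": 4662, "Computer": "DC01", "ObjectServer": "DS", "SubjectUserName": "svc_dirsync",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account requesting Get-Changes-All from a workstation: this is the DCSync pattern.
    {"EventID": 4662, "Computer": "DC01", "ObjectServer": "DS", "SubjectUserName": "jsmith",
     "ClientAddress": "10.0.5.23",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A 4662 on something other than the directory service: ignored.
    {"EventID": 4662, "Computer": "DC01", "ObjectServer": "Security", "SubjectUserName": "jsmith",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for alert in find_dcsync_alerts(SAMPLE_EVENTS):
        print(f"DCSync candidate: {alert['account']} from {alert['client']} "
              f"against {alert['dc']} requested {', '.join(alert['rights'])}")
```

For this to fire at all, the "Directory Service Access" subcategory must be audited on the DCs and the domain object's SACL must include the replication control-access rights, otherwise no 4662 is written; the allow-lists are the part that needs maintaining, since any replicating appliance or sync service that is not listed will show up as a false positive.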


They could have used cached credentials to gain a foothold on a single system before using them to attack a domain controller and get the rest of the creds. You probably need to prevent domain admins from logging onto workstations at all. Have specific roles for each type of system and test to make sure they are only able to do what is needed to get the job done.
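The two controls mentioned in this thread, a service account that should only ever log on as a service on its own host, and domain admins who should never log on interactively to a workstation, can both be expressed as a small policy over the fields of Windows logon event 4624 (TargetUserName, LogonType, Computer). The following is an added example of such a check, written for this thread and not taken from any poster or vendor; the account names, host names and policy tables are placeholders, and the events are constructed by hand. A SIEM rule would do the same comparison on live events; the point of the code is to show which fields carry the signal and what the expected-versus-actual comparison looks like.

```python
"""Audit Windows 4624 logon events against a simple account tiering policy.

Added example for this thread. Policy tables, account names and host names are
placeholders; the events are constructed by hand rather than taken from real logs.
"""
from typing import Dict, Iterable, List

# Logon types as recorded in event 4624 (standard Windows values).
LOGON_TYPE_NAMES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
}
# Logon types that put reusable credentials on the host (console, RDP, cached).
INTERACTIVE_TYPES = {2, 10, 11}

# Assumed policy (placeholders): each service account's permitted hosts and logon
# types, the domain admin accounts, and the tier-0 hosts they may log on to.
SERVICE_ACCOUNT_POLICY = {
    "svc_backup": {"hosts": {"SRV-BACKUP01"}, "logon_types": {5}},
}
DOMAIN_ADMINS = {"da_alice"}
TIER0_HOSTS = {"DC01", "DC02", "PAW01"}  # domain controllers and admin workstations


def check_logon(event: Dict[str, object]) -> List[str]:
    """Return policy violations for a single 4624 event (empty list if compliant)."""
    if event.get("EventID") != 4624:
        return []
    user = str(event["TargetUserName"])
    host = str(event["Computer"]).upper()
    logon_type = int(event["LogonType"])
    type_name = LOGON_TYPE_NAMES.get(logon_type, f"type {logon_type}")
    findings = []

    # Control 1: service accounts only log on as a service, and only on their own hosts.
    policy = SERVICE_ACCOUNT_POLICY.get(user)
    if policy is not None:
        if logon_type not in policy["logon_types"]:
            findings.append(f"service account {user}: {type_name} logon is not permitted (host {host})")
        if host not in policy["hosts"]:
            findings.append(f"service account {user}: logon on unexpected host {host}")

    # Control 2: domain admins never log on interactively outside tier 0.
    if user in DOMAIN_ADMINS and logon_type in INTERACTIVE_TYPES and host not in TIER0_HOSTS:
        findings.append(f"domain admin {user}: {type_name} logon on non-tier-0 host {host}")
    return findings


def audit(events: Iterable[Dict[str, object]]) -> List[str]:
    """Run check_logon over a stream of events and collect every finding."""
    return [finding for event in events for finding in check_logon(event)]


# Constructed sample events (placeholders, not real data).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "SRV-BACKUP01", "TargetUserName": "svc_backup", "LogonType": 5},  # fine
    {"EventID": 4624, "Computer": "WS-HR-17", "TargetUserName": "svc_backup", "LogonType": 10},    # RDP, wrong host
    {"EventID": 4624, "Computer": "WS-HR-17", "TargetUserName": "da_alice", "LogonType": 10},      # DA on workstation
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "da_alice", "LogonType": 2},           # DA on a DC: fine
    {"EventID": 4624, "Computer": "WS-HR-17", "TargetUserName": "jsmith", "LogonType": 2},         # ordinary user: fine
]

if __name__ == "__main__":
    for line in audit(SAMPLE_EVENTS):
        print(line)
```

The enforcement side of the same policy lives in Group Policy (the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights for the admin groups on workstations), so that the detection above catches attempts rather than successes; a logon that the policy denies is recorded as 4625 rather than 4624, which is worth alerting on too.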


This topic has been locked by an administrator and is no longer open for commenting.